Kaifeng Huang created ZEPPELIN-3938:
---------------------------------------

             Summary: Your project apache/zeppelin is using buggy third-party libraries [WARNING]
                 Key: ZEPPELIN-3938
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3938
             Project: Zeppelin
          Issue Type: Bug
            Reporter: Kaifeng Huang


Hi there!
We are a research team working on third-party library analysis. We have found 
that some widely used third-party libraries in your project have major/critical 
bugs, which will degrade the quality of your project. We highly recommend that 
you update those libraries to new versions.
We have attached the buggy third-party libraries and the corresponding Jira 
issue links below so that you have more detailed information.
        1  org.apache.commons commons-lang3 (zeppelin-interpreter/pom.xml,zeppelin-zengine/pom.xml)
        version: 3.7

        Jira issues:
        NPE from SystemUtils.isJavaVersionAtLeast under Java 11 EA
        affectsVersions:3.7
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1384?filter=allopenissues
        WordUtils.wrap throws StringIndexOutOfBoundsException when wrapLength 
is Integer.MAX_VALUE
        affectsVersions:3.7
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1397?filter=allopenissues




        2  org.apache.httpcomponents httpclient (jdbc/pom.xml)
        version: 4.4.1

        Jira issues:
        Failed to parse cookie max-age attribute 
        affectsVersions:4.4.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1640?filter=allopenissues
        fluent api not kept CookieSpecs from RequestConfig for 
HttpClients.custom for fluent.Executor 
        affectsVersions:4.4.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1645?filter=allopenissues
        Caching of proxy auth schemes is broken
        affectsVersions:4.4.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1649?filter=allopenissues
        HttpClient 4.4.1 sends RST instead of proper FIN ACK sequence when 
using non-persistant connections
        affectsVersions:4.4.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1655?filter=allopenissues
        OSGiRoutePlanner examines only the first proxy exception and also 
crashes processing IP address exception
        affectsVersions:4.4.1;4.5;5.0
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1710?filter=allopenissues
        OSGiCredentialsProvider.java compares the Authscope by .equals() 
instead of .match()  
        affectsVersions:4.4.1;5.0 Alpha1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1718?filter=allopenissues
        OSGiProcyConfiguration proxy user field is known as 'proxy.user' to the 
metadata but the class uses the 'proxy.username'
        affectsVersions:4.4.1;5.0 Alpha1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1719?filter=allopenissues
        The deprecated SSLSocketFactory does not contain the SNI fix found in 
the SSLConnectionSocketFactory class
        affectsVersions:4.4.1;4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1726?filter=allopenissues
        
        org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager Does not account for context class loader
        affectsVersions:4.4.1;4.5;4.5.1;4.5.2
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
        Memory Leak in OSGi support
        affectsVersions:4.4.1;4.5.2
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1749?filter=allopenissues
        PoolingHttpClientConnectionManager has no option to close long leased 
connections
        affectsVersions:4.4.1;4.5
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1760?filter=allopenissues




        3  org.apache.httpcomponents httpclient (pom.xml)
        version: 4.5.1

        Jira issues:
        Add convenience methods to fluent API class Request
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1696?filter=allopenissues
        GET request should support body
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1703?filter=allopenissues
        Delete obsolete clone method
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1709?filter=allopenissues
        NTLMEngineImpl.Type1Message not thread safe but declared as a constant
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1715?filter=allopenissues
        HttpClient 4.5.1 may perform multiple requests on the same connection 
despite having "Connection: close" header.
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1723?filter=allopenissues
        The deprecated SSLSocketFactory does not contain the SNI fix found in 
the SSLConnectionSocketFactory class
        affectsVersions:4.4.1;4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1726?filter=allopenissues
        
        org.apache.http.impl.client.AbstractHttpClient#createClientConnectionManager Does not account for context class loader
        affectsVersions:4.4.1;4.5;4.5.1;4.5.2
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1727?filter=allopenissues
        Malformed path not handled well
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1803?filter=allopenissues
        NTLM authentication error: Unexpected state: MSG_TYPE3_GENERATED
        affectsVersions:4.5.1
        
https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-1882?filter=allopenissues




        4  commons-logging commons-logging (pom.xml)
        version: 1.1.1

        Jira issues:
        Unit tests fail on linux with java16
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-117?filter=allopenissues
        deadlock on re-registration of logger
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-119?filter=allopenissues
        Potential missing privileged block for class loader
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-130?filter=allopenissues
        Log4JLogger uses deprecated static members of Priority such as INFO
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-142?filter=allopenissues
        LogFactory/LogFactoryImpl ingore Throwable
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-144?filter=allopenissues
        LogFactory.nullClassLoaderFactory is not properly synchronized
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-146?filter=allopenissues
        SimpleLog.log - unsafe update of shortLogName
        affectsVersions:1.1.1
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-147?filter=allopenissues
        BufferedReader is not closed properly
        affectsVersions:1.1.1;1.2
        
https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-163?filter=allopenissues




        5  commons-cli commons-cli (pom.xml)
        version: 1.3.1

        Jira issues:
        Optional argument picking up next regular option as its argument
        affectsVersions:1.3.1
        
https://issues.apache.org/jira/projects/CLI/issues/CLI-265?filter=allopenissues
        HelpFormatter#setOptionComparator(null) doesn't display the values in 
inserted order
        affectsVersions:1.3.1
        
https://issues.apache.org/jira/projects/CLI/issues/CLI-266?filter=allopenissues




        6  commons-io commons-io (pom.xml)
        version: 2.4

        Jira issues:
        IOUtils copyLarge() and skip() methods are performance hogs
        affectsVersions:2.3;2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-355?filter=allopenissues
        CharSequenceInputStream#reset() behaves incorrectly in case when buffer 
size is not dividable by data size
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-356?filter=allopenissues
        [Tailer] InterruptedException while the thead is sleeping is silently 
ignored
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-357?filter=allopenissues
        IOUtils.contentEquals* methods returns false if input1 == input2; 
should return true
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-362?filter=allopenissues
        Apache Commons - standard links for documents are failing
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-369?filter=allopenissues
        FileUtils.sizeOfDirectoryAsBigInteger can overflow
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-390?filter=allopenissues
        Regression in FileUtils.readFileToString from 2.0.1
        affectsVersions:2.1;2.2;2.3;2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-453?filter=allopenissues
        Correct exception message in FileUtils.getFile(File; String...)
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-479?filter=allopenissues
        org.apache.commons.io.FileUtils#waitFor waits too long
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-481?filter=allopenissues
        FilenameUtils should handle embedded null bytes
        affectsVersions:2.4
        
https://issues.apache.org/jira/projects/IO/issues/IO-484?filter=allopenissues
        Exceptions are suppressed incorrectly when copying files.
        affectsVersions:2.4;2.5
        
https://issues.apache.org/jira/projects/IO/issues/IO-502?filter=allopenissues




        7  commons-codec commons-codec (pom.xml)
        version: 1.5

        Jira issues:
        QuotedPrintableCodec does not support soft line break per the 
'quoted-printable' example on Wikipedia
        affectsVersions:1.5;1.6
        
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-121?filter=allopenissues
        Non-ascii characters in source files
        affectsVersions:1.5
        
https://issues.apache.org/jira/projects/CODEC/issues/CODEC-127?filter=allopenissues




        8  org.apache.commons commons-lang3 (cassandra/pom.xml)
        version: 3.3.2

        Jira issues:
        ISO 8601 misspelled throughout the Javadocs
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1001?filter=allopenissues
        Several predefined ISO FastDateFormats in DateFormatUtils are incorrect
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1002?filter=allopenissues
        DurationFormatUtils are not able to handle negative durations/periods
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1003?filter=allopenissues
        DurationFormatUtils#formatDurationHMS implementation does not 
correspond to Javadoc and vice versa
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1004?filter=allopenissues
        NumberUtils.createNumber(final String str)  Precision will be lost
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1018?filter=allopenissues
        Javadoc for EqualsBuilder.reflectionEquals() is unclear
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1035?filter=allopenissues
        NumberUtils#isNumber() returns false for "+2" and true for "-2"
        affectsVersions:3.1;3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1038?filter=allopenissues
        Javadoc for NumberUtils.isNumber() are not clear enough
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1040?filter=allopenissues
        Fix MethodUtilsTest so it does not depend on JDK method ordering
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1041?filter=allopenissues
        StrSubstitutor.replaceSystemProperties does not work consistently
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1055?filter=allopenissues
        NumberUtils.isNumber assumes number starting with Zero is octal
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1060?filter=allopenissues
        FastDateParser error - timezones not handled correctly
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1061?filter=allopenissues
        Wrong formating of time zones with daylight saving time in 
FastDatePrinter
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1092?filter=allopenissues
        TypeUtils.ParameterizedType#equals doesn't work with wildcard types
        affectsVersions:3.3.2;3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues
        Fix bug with stripping spaces on last line in WordUtils.wrap() 
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-995?filter=allopenissues
        FastDateFormat is case sensitive
        affectsVersions:3.3.2
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-996?filter=allopenissues
        NumberUtils#createNumber() returns positive BigDecimal when negative 
Float is expected
        affectsVersions:3.x
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1087?filter=allopenissues




        9  org.apache.commons commons-lang3 (markdown/pom.xml,shell/pom.xml)
        version: 3.4

        Jira issues:
        TypeUtils.ParameterizedType#equals doesn't work with wildcard types
        affectsVersions:3.3.2;3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1114?filter=allopenissues
        DateUtilsTest.testLang530 fails for some timezones
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1116?filter=allopenissues
        StringUtils.stripAccents from "Ł" and "ł"
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1120?filter=allopenissues
        JsonToStringStyle doesn't handle chars and objects correctly
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1128?filter=allopenissues
        ReflectionToStringBuilder doesn't throw IllegalArgumentException when 
the constructor's object param is null
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1132?filter=allopenissues
        StrLookup.systemPropertiesLookup() no longer reacts on changes on 
system properties
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1141?filter=allopenissues
        StringUtils#capitalize: Javadoc says toTitleCase; code uses toUpperCase
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1142?filter=allopenissues
        Multiple calls of 
org.apache.commons.lang3.concurrent.LazyInitializer.initialize() are possible
        affectsVersions:3.4;3.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1144?filter=allopenissues
        EnumUtils *BitVector issue with more than 32 values Enum
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1147?filter=allopenissues
        StringUtils#equals fails with Index OOBE on non-Strings with identical 
leading prefix
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1162?filter=allopenissues
        There are no tests for CharSequenceUtils.regionMatches
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1163?filter=allopenissues
        ArrayUtils.removeAll(Object array; int... indices) should do the clone; 
not its callers
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1178?filter=allopenissues
        TypeUtils.isAssignable throws NullPointerException when fromType has 
type variables and toType generic superclass specifies type variable
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1190?filter=allopenissues
        FastDateFormat does not support the week-year component (uppercase 'Y')
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1192?filter=allopenissues
        ordinalIndexOf("abc"; "ab"; 1) gives incorrect answer of -1 (correct 
answer should be 0)
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1193?filter=allopenissues
        Fix implementation of StringUtils.getJaroWinklerDistance()
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1199?filter=allopenissues
        parseDateStrictly does't pass specified locale
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1202?filter=allopenissues
        ClassUtils.getClass(ClassLoader; String) fails for "void"
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1214?filter=allopenissues
        NumberUtils.isNumber bug
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1216?filter=allopenissues
        FastDateFormat doesn't respect summer daylight in localized strings
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1219?filter=allopenissues
        StringUtils#normalizeSpace does not trim the string anymore
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1226?filter=allopenissues
        DiffBuilder: Add null check on fieldName when appending Object or 
Object[]
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1232?filter=allopenissues
        FastDatePrinter Memory allocation regression
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1248?filter=allopenissues
        SerializationUtils.ClassLoaderAwareObjectInputStream should use static 
initializer to initialize primitiveTypes map.
        affectsVersions:3.2;3.3;3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1251?filter=allopenissues
        NumberUtils.isNumber and NumberUtils.createNumber resolve inconsistently
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1252?filter=allopenissues
        ArrayUtils.contains returns false for instances of subtypes
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1261?filter=allopenissues
        CompareToBuilder.append(Object;Object;Comparator) method is too big to 
be inlined
        affectsVersions:3.4
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1262?filter=allopenissues
        StrBuilder#replaceAll ArrayIndexOutOfBoundsException
        affectsVersions:3.2.1;3.4;3.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-1276?filter=allopenissues




        10  commons-lang commons-lang (pom.xml)
        version: 2.5

        Jira issues:
        Testing with JDK 1.7
        affectsVersions:2.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-593?filter=allopenissues
        Some StringUtils methods should take an int character instead of char 
to use String API features.
        affectsVersions:2.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-608?filter=allopenissues
        SystemUtils.getJavaVersionAsFloat throws 
StringIndexOutOfBoundsException on Android runtime/Dalvik VM
        affectsVersions:2.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-624?filter=allopenissues
        NumberUtils createNumber throws a StringIndexOutOfBoundsException when 
argument containing "e" and "E" is passed in
        affectsVersions:2.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-638?filter=allopenissues
        FastDateFormat.format() outputs incorrect week of year because locale 
isn't respected
        affectsVersions:2.5
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-645?filter=allopenissues
        Exception when combining custom and choice format in 
ExtendedMessageFormat
        affectsVersions:2.5;2.6
        
https://issues.apache.org/jira/projects/LANG/issues/LANG-917?filter=allopenissues




Sincerely~
FDU Software Engineering Lab
calvin...@gmail.com




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
